Industry Committee on Oct. 17th, 2017

You're speaking about a case scenario in which a company goes on, or an individual....

I'll just speak generally. The act contemplates various circumstances in which you'll have authority to reach out. The entity in question could have gotten express consent under the act. There are very prescriptive requirements to do so, as I mentioned before, but they could rely on express consent. Or there are a series of implied consent provisions, which are very detailed, and which say, for instance, that if you made a purchase within the last two years, you're able to reach out and do so; or if you have a written contract, for the duration of that contract and two years thereafter you can reach out. So assuming it's a commercial kind of message—

Now, depending on the message—and this illustrates the complexity—either subsection 6(6) might apply or one of several exemptions could apply. It depends on the very specific context.

I think the problem is, as Mr. Geist has mentioned, we really don't have enough information. We have some statistics that are quite old, from 2015, to suggest there's been a reduction in overall messaging, including of legitimate messages. To Mr. Masse's comment, the question we have to ask ourselves from a policy standpoint is how we ensure that it is a privilege to use electronic means to communicate, much as it is a privilege to collect, use, and disclose personal information. It's not a right. It has to be, however, through a balanced framework. What I am personally suggesting is that the framework as reflected in CASL doesn't strike the appropriate balance, and that there's an opportunity for all stakeholders and all parties to work together to get the balance right.

I just note—and it's come up now a couple of times—that there's this notion that there are the really bad actors, the spamming organizations, and everyone is in agreement that we have to target them; and then there's an attempt to characterize all the other businesses as not being bad actors. I don't doubt for a moment that Rogers, my carrier, is not a bad actor, but I will say that if you are sending me messages when you have not obtained my consent that is a bad act. I think we have to recognize that there are lots of legitimate businesses that may even still want to comply but that are, I would argue, misusing our personal information without obtaining appropriate consent. That's a bad act, and that's what the law's designed to target. If we contemplate moving back to implied consent, then we're right back to where we started from. The task force looked at whether or not PIPEDA was effective in dealing with spam, and the conclusion was that it was not. One of the core reasons was that implied consent just doesn't work in this context. It will be obvious to all of you, given the number of times, I'm sure, you've received messages from a legitimate business while you can't for the life of you understand why you're getting this message. The reason is that these businesses often rely on implied consent to be able to send out those messages.

Sure. I'll start that off for you. Thank you.

I think what we're seeing is that there is subsection section 6(6), which we spoke about, which says that in these scenarios, you can send the messages to the customers. You don't need consent to send the messages, but they must follow the form and content of CASL requirements, so they must have an unsubscribe mechanism.

My point is that certain messages we will send to our customers either because we're required by law to send them or because it's the good customer experience. For example, if you need to know something from us, we'll send it. To put the unsubscribe at the bottom gives the wrong impression; it creates confusion for consumers. When I'm required to send you a message and I put in the unsubscribe, and then you click on it, you think you're unsubscribing. But really, are you unsubscribing? I'm still going to send you the message, because I'm required to send the message. It creates confusion.

I've heard from other businesses that they just don't send those types of messages because they're not sure how to do that. Maybe they've resorted to other means of contacting their customers, such as direct telephone calls or direct mail. I would argue that's a negative impact and an inadvertent, unintended consequence.

Regarding public safety messages, there's an exemption in CASL that will allow messages to be sent for public safety reasons, but there's confusion created by the requirement to have an unsubscribe in a message that the business is still going to send the customer because they're required to send it or it's.... For example, you need to tell the customer if they signed up for online billing that their bill is available for them to look at. How are they going to know their bill is available otherwise? If they're unsubscribing from it, and then you send them the next month's bill, that's where the problem is created.

You asked how we can have this confusion. I think we've seen it happen on this panel just in the last number of minutes.

The panel was asked a question that I thought Mr. Kardash effectively responded to with the use of a case from Mr. Jeneroux. He started by saying that if you have explicit consent, you can go ahead and do this, and then he proceeded to talk about the various exceptions.

The problem is that we get bogged down in the various instances of how you can do this if you don't get someone's consent. The starting point again and again in many of these instances is to get consent. If we're talking about something different, not about the ability to message but instead this potential for confusion with an unsubscribe, surely that's an issue that can be fixed for a public safety message. It's not that we can't send it, but there's an unsubscribe issue. That is a far cry from the doomsday scenarios this committee has been hearing about in the last number of hearings, moving from “Can you please fix an unsubscribe mechanism in a public safety message?” to somehow that e-commerce is going to stop in Canada if this law continues.

I think the first point is that we need to simplify the law. We need to make more clear what it applies to and to make it more flexible and adaptive, so that you can explain it to a business and they'll understand it and say, “Oh, this what I need to do to comply.”

As people on the panel have been mentioning, part of the problem is that there is a range of things that are exempt or not exempt, and in some circumstances they work, but in some they don't. This is why businesses, large and small, need lawyers and consultants: to tell them how to comply.

It's no surprise that a lot of people fall asleep when they start hearing about it or ignore it if they don't have to pay attention to it, because people who do have to pay attention to it are—rightly—very confused by it. I think the first thing needs to be simplifying it and making it easier to comply with.

After that, of course, the CRTC needs to become a partner in this. They need to reach out to business.

I agree with that. I agree with the premise of the question, and I think it's a question best posed to the enforcement agencies as to why they haven't targeted those—

My comment is twofold.

One, I think the CRTC has failed to target, as I think you rightly point out, the remaining large spamming organizations. From my perspective, it's inexplicable, given that we know where they are. It was amazing when the law was being crafted and we had at least one large Canadian-based spammer who was openly blogging and laughing about it, and in a sense almost urging enforcement, and yet we haven't seen that. I do think they've fallen short in that regard.

On the other hand, I certainly have some amount of sympathy for large businesses that say they feel they're being targeted. I think in some ways it links a bit to your first question on how we can ensure that businesses are at least aware of the legislation. There is, I think, a certain element which is that the CRTC is going to go after some of the bigger fish, so to speak, partially because they ought to know better—they have the resources to do it—and partially I think because that may actually assist in ensuring there is the effect of having many other businesses becoming more aware of their obligations under the law.

I'm happy to tell you that as a task force we met with law enforcement regularly. It was a real challenge at the time in regard to convincing them that some of these issues rose to the level of deserving some of their attention and the use of their scarce resources.

Years later, when we take a look at what we've seen, particularly in some of the malware cases, let's say, and some of the other major sorts of cases.... It's not that I think we should be looking for law enforcement to say that they're going to take everybody off their existing jobs to focus on this, but there are serious implications, not only economic but political and otherwise, and I think real resources need to be put to the issue.